Skip to main content
Version: v0.16.0

get-kubeconfig

Obtain a kubeconfig file that uses ack-ram-tool as the credential plugin.

It has the following features:

  • Automatically obtains a new certificate before the certificate expires.
  • Supports using temporary certificate.
  • Integrate ack-ram-authenticator.

Usage

$ ack-ram-tool credential-plugin get-kubeconfig --cluster-id c5e***

kind: Config
apiVersion: v1
clusters:
    - name: kubernetes
      cluster:
        server: https://106.*.*.*:6443
        certificate-authority-data: LS0tL***
contexts:
    - name: 272***-c5e***
      context:
        cluster: kubernetes
        user: "272***"
current-context: 272***-c5e***
users:
    - name: "272***"
      user:
        exec:
            command: ack-ram-tool
            args:
                - credential-plugin
                - get-credential
                - --cluster-id
                - c5e***
                - --api-version
                - v1beta1
                - --expiration
                - 3h
                - --log-level
                - error
            apiVersion: client.authentication.k8s.io/v1beta1
            provideClusterInfo: false
            interactiveMode: Never
preferences: {}

$ ack-ram-tool credential-plugin get-kubeconfig --cluster-id c5e*** > kubeconfig
$ kubectl --kubeconfig kubeconfig get ns
NAME                         STATUS   AGE
default                      Active   6d3h
kube-node-lease              Active   6d3h
kube-public                  Active   6d3h
kube-system                  Active   6d3h

--mode ram-authenticator-token

$ ack-ram-tool credential-plugin get-kubeconfig --mode ram-authenticator-token --cluster-id c5e***

kind: Config
apiVersion: v1
clusters:
    - name: kubernetes
      cluster:
        server: https://106.*.*.*:6443
        certificate-authority-data: LS0t***
contexts:
    - name: 272***-c5e***
      context:
        cluster: kubernetes
        user: "272***"
current-context: 272***-c5e***
users:
    - name: "272***"
      user:
        exec:
            command: ack-ram-tool
            args:
                - credential-plugin
                - get-token
                - --cluster-id
                - c5e***
                - --api-version
                - v1beta1
                - --log-level
                - error
            apiVersion: client.authentication.k8s.io/v1beta1
            provideClusterInfo: false
            interactiveMode: Never
preferences: {}

Flags

Usage:
  ack-ram-tool credential-plugin get-kubeconfig [flags]

Flags:
      --api-version string            v1 or v1beta1 (default "v1beta1")
  -c, --cluster-id string             The cluster id to use
      --credential-cache-dir string   Directory to cache certificate (default "~/.kube/cache/ack-ram-tool/credential-plugin")
      --expiration duration           The certificate expiration (default 3h0m0s)
  -h, --help                          help for get-kubeconfig
  -m, --mode string                   credential mode: certificate or ram-authenticator-token (default "certificate")
      --private-address               Use private ip as api-server address
      --role-arn string               Assume an RAM Role ARN when send request or sign token

Global Flags:
  -y, --assume-yes                      Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively
      --ignore-aliyun-cli-credentials   don't try to parse credentials from config.json of aliyun cli
      --ignore-env-credentials          don't try to parse credentials from environment variables
      --log-level string                log level: info, debug, error (default "info")
      --profile-file string             Path to credential file (default: ~/.aliyun/config.json or ~/.alibabacloud/credentials)
      --profile-name string             using this named profile when parse credentials from config.json of aliyun cli
      --region-id string                The region to use (default "cn-hangzhou")

Descriptions:

FlagDefaultRequiredDescription
-c, --cluster-idYesCluster ID
-m, --modecertificateAuthentication methods in kubeconfig: certificate indicates certificate authentication, and ram-authenticator-token indicates token authentication based on ack-ram-authenticator
--expiration3hWhen --mode is set to certificate, set the certificate expiration time through this parameter. When it is 0, it means not to use a temporary certificate but to use a longer valid certificate (the expiration time is automatically determined by the server).
--private-addressfalseWhether to use the intranet API server address?
--api-versionv1beta1Specify which version of apiVersion to use in the returned data. v1beta1 represents client.authentication.k8s.io/v1beta1, and v1 represents client.authentication.k8s.io/v1.
--credential-cache-dir~/.kube/cache/ack-ram-tool/credential-pluginThe directory used to cache the certificate is only valid when --mode is set to certificate
--role-arnAssume an RAM Role ARN when send request or sign token